Re: reporting a web site breach

["David Glosser" <david.glosser () gmail com>]

so, you are suggesting, at a minimum, the web site should pay for free
credit reports and optional credit-freezes for all customers as part
of this class-action... hmmmm....


On Sun, Oct 19, 2008 at 7:04 PM, Chris Finley <cfinley () u washington edu> wrote:
> Should Jason file a class-action lawsuit on behalf of the customers of
> the site?
> Hear me out :)
>
> He said that he is a customer of the web site, so now his data is
> exposed, along with many other customers.
>
> The data may have been stolen already, a goal of the lawsuit should be
> to determine this, for the benefit of the site's customers.
>
> A minimum level of protection for personal and financial information can
> be expected from customers of a web site.
>
> The owner feels the financial losses from fixing the security issue
> (downtime) outweighs the risk to the customers. Until this changes,
> security will be poor. The site owner should have some fear that
> exposing customers to risk will have a financial cost.
>
> Your responses are appreciated,
> Chris
>
>
> On Thu, 2008-10-16 at 21:12 -0400, acey deucey wrote:
> > I think Jason has done more than his duty. I second calling a
> > reporter. That will certainly get some atention. Hell, contact 10
> > reporters.
> >
> >
> > On Oct 16, 2008, at 15:58, "Prodigi Child" <prodigi.child () gmail com>
> > wrote:
> >
> > > If the company refuses to do anything about it, and it is based in
> > > the US,
> > > try the FTC. If it is a bank, try the FDIC. Try to find an
> > > organization to
> > > which they must answer. If you have ABSOLUTELY NO other recourse,
> > > then I
> > > think you should act on the fact that the bad guys likely already
> > > know about
> > > the security hole, and as a last resort consider calling a journalist.
> > > Nothing like bad publicity to enact change in an organization :)
> > >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com
> > > ] On
> > > Behalf Of jason_jones98 () hotmail com
> > > Sent: Thursday, October 16, 2008 7:01 AM
> > > To: pen-test () securityfocus com
> > > Subject: reporting a web site breach
> > >
> > > Hi Guys.
> > >
> > > I need some advise. I was using a web site to book a service (details
> > > witheld) and found that i could very easily browse thousands of
> > > customer
> > > details i.e. name, address, phone numbers, the credit card details are
> > > masked but just viewed source and the credit card details are
> > > cleartext
> > > along with valid from, expire and cvv number. I called the company
> > > last
> > > night to advise that they probably want to bring down their site and
> > > advise
> > > customers that their details have been potentially breached,
> > > basically they
> > > told me it would cost them too much money to go offline and that was
> > > that! I
> > > then attempted to call visa, mastercard and the high tech crime unit
> > > and
> > > none of them seem to have a process to report this type of event
> > > unless an
> > > actual crime has taken place. So for my sanity could someone advise
> > > me on
> > > the ethical steps i should take to try and protect those customers?
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------